I Am Not a Robot: Treating Your People Like People for Better Cybersecurity
Let’s face it, everyone makes mistakes. People are not robots. You can’t program them to do exactly what you want them to without fail. And treating your employees like the enemy when it comes to your cybersecurity, just for being human, isn’t just bad leadership; it also does nothing to improve your overall security posture.
People aren’t always rational. That’s just a fact of life. Oftentimes, security analysts will focus on the bright shiny objects (the exploits getting big media attention) instead of the issues that truly pose the most risk to the organization. Cyberthreats can come from anywhere, and it is important to focus on the vulnerabilities that actually require attention, rather than the ones that the news outlets say you should worry about. Focusing solely on the issues with significant media hype tends to be highly problematic, since doing so diverts resources away from vulnerabilities that have higher impact on the organization in question.
But the question remains, how can one know what needs attention and what doesn’t? There are so many things that people have to be aware of (software, passwords, even the physical properties of the hardware) that it’s hard to keep track of what needs to be done. Netflix, of all companies, recognized this issue and decided to do something about it. As a solution, Netflix devised a tool called Stethoscope for its employees. Stethoscope tracks an array of things like software updates and faulty firewalls across all devices in the network to keep employees apprised of their specific situations. The interesting thing about Stethoscope is that it does not fix the problems it finds. Instead, it gives the user practical suggestions on what to do to fix issues in the system, leaving it up to the user to take the initiative to fix the issues themselves. Netflix recognized that their employees were capable of maintaining higher levels of cybersecurity, and just needed a little bit of extra help to do so. It worked well enough that they have made Stethoscope for consumer use.
When it comes down to it, people want to be cybersecure. They don’t want to be the reason behind a breach. Most employees simply don’t understand how to be better. And many of those who do understand the concepts behind better cybersecurity don’t know how to practically apply those concepts. Tools like Stethoscope put the responsibility for cybersecurity back in the hands of the users. Just like any other tool, they should be used to help humans do their jobs better. They should never be seen as an alternative to classic education. They work because they are used in conjunction with employee education. Knowing what sort of threats are out there and what they look like can be the difference between losing millions of dollars and deleting an email. Understanding the normal patterns of the web and of your own workplace’s network traffic is essential for discerning whether or not that network is secure.
A solid first step is to educate employees about their network. Have your analysts show other employees what kind of numbers they are supposed to see and how they can distinguish the outliers from the rest of the data. The more often regular employees catch small issues before they see the light of day, the more time your cyber analysts have to focus on bigger threats.
The next step is to implement processes that build further upon the education-based foundation of your organization’s cybersecurity. These processes can be anything from recurring scheduled check-ups to weekly reports on current cyber trends. The goal is to offer constructive criticism and give employees opportunities for growth in the organization.
The third step, which many try to make the first and only step, is to ensure that all appropriate security software has been implemented. For an individual user, this could be as simple as a standard anti-virus program. For an established organization, this should be a well-developed physical- and digital-security system customized to fit the company’s specific needs. In other words, a bank would not have the same cybersecurity needs as a hospital, since each requires its own specialized program. Due to a fear of employees leaving the company for other opportunities, many companies would rather take this route as the primary defense than put time and resources into properly training employees. We challenge you to ask not “What if I train them and they leave?” but instead “What if I don’t train them and they stay?” Which is really the riskier decision?
It is incredibly difficult to stay ahead of evolving cyberthreats. The security software of today is largely based on the threats of yesterday, meaning the only way to have a chance of keeping up is to rely on the human side of the equation. Treat your people like people, train them to the highest degree possible, and they will be the extra element that your organization needs to get and stay cybersecure. Treat them like machines, reprimand them every time they make a human mistake, and you’ll watch your organization crumble around you. People or robots. The choice is yours.
If you, your organization or company, or someone you know would like more information on our company or how to create a security plan that treats people like people, please do not hesitate to reach out to Mission Multiplier at firstname.lastname@example.org.